Discussion:
how many iptables rules can a VPS have
Northwind
2024-05-24 22:20:01 UTC
Hello

I have been using a KVM VPS with 2G RAM, 2 cores.
Due to fail2ban jobs, iptables in this VPS has dropped 3000+ blacklisted IPs.
May I ask how many iptables rules the VPS can have at most?
Do many iptables rules influence the networking performance?

Thanks
Andy Smith
2024-05-24 22:30:01 UTC
Hi,
Post by Northwind
I have been using a KVM VPS with 2G RAM, 2 cores.
Due to fail2ban jobs, iptables in this VPS has dropped 3000+ blacklisted IPs.
May I ask how many iptables rules the VPS can have at most?
It depends upon the kind of rule but for a typical fail2ban rule I'd
expect the number to be in the tens or hundreds of millions range
for a host with 2G memory.
Post by Northwind
Do many iptables rules influence the networking performance?
Yes. Each rule consumes memory and checking against all rules uses
more and more CPU on each incoming packet.

You will likely get better performance if you switch to nftables and
use an ipset to hold all the bans, though I've no idea how easy
that is to configure with fail2ban.

Also if you switched to blackhole routes (which would block all
traffic, not just TCP on the SSH port) that is likely to be less CPU
work for the kernel too. I believe that's the "route" action in
fail2ban.

Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Michael Grant
2024-05-25 06:10:01 UTC
Post by Andy Smith
You will likely get better performance if you switch to nftables and
use an ipset to hold all the bans, though I've no idea how easy
that is to configure with fail2ban.
It's easy, supported out of the box. I have been using nftables for years with f2b. Cleaner looking, easier to read rules, structured syntax. I like it.

I can't speak to the performance, I don't have any way to test that.

Michael Grant
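Andy's suggestion (one nftables set holding every ban, matched by a single rule) and Michael's confirmation that fail2ban drives it out of the box are easier to judge with the ruleset in front of you. The script below is an added example, not code from either poster or from fail2ban: it takes a constructed list of banned addresses (documentation ranges, not real offenders) and emits a complete nftables ruleset where the whole list lives in a set and one `drop` rule consults it. The table name `f2b` and the set name `banned` are my own choices; fail2ban's own nftables action (`banaction = nftables-multiport` in `jail.local`, as I understand its action names) manages an equivalent set itself, so this is only to show what the kernel ends up evaluating per packet: one set lookup instead of a walk over 3000+ individual rules.

```shell
#!/bin/sh
# Added example (not from the thread): put all banned addresses in one
# nftables set and match it with a single rule. A set lookup is a hash
# or interval match, so per-packet cost stays roughly flat as the ban
# list grows, unlike a linear chain of per-IP iptables rules.

# Constructed sample ban list (RFC 5737 documentation ranges, not real
# IoCs). In practice fail2ban would be the source of these entries.
BANNED='198.51.100.7
203.0.113.0/24
192.0.2.44
198.51.100.7'

# gen_nft_banset [TABLE]
#   Reads one address or CIDR prefix per line on stdin and prints a
#   complete nftables ruleset on stdout. Duplicates are removed first,
#   because `nft -f` rejects a set literal with a repeated element.
gen_nft_banset() {
    table="${1:-f2b}"
    elems=$(sed '/^$/d' | sort -u | paste -s -d ',' -)
    printf 'table inet %s {\n' "$table"
    printf '    set banned {\n'
    printf '        type ipv4_addr\n'
    # "interval" lets single hosts and CIDR prefixes share one set.
    printf '        flags interval\n'
    printf '        elements = { %s }\n' "$elems"
    printf '    }\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy accept;\n'
    # One rule for the whole list; the counter makes hits visible in
    # `nft list ruleset` for later inspection.
    printf '        ip saddr @banned counter drop\n'
    printf '    }\n'
    printf '}\n'
}

# count_elements
#   Number of distinct entries the generated set will carry (stdin).
count_elements() {
    sed '/^$/d' | sort -u | wc -l | tr -d ' '
}

# Stand-alone usage: print the ruleset for the sample list. Loading it
# needs root and the nft binary, e.g.
#   printf '%s\n' "$BANNED" | gen_nft_banset f2b > /tmp/f2b.nft
#   nft -f /tmp/f2b.nft
# and later bans are added without reloading the ruleset:
#   nft add element inet f2b banned '{ 203.0.113.9 }'
printf '%s\n' "$BANNED" | gen_nft_banset f2b
```

The point to take from the output is structural: the 3000+ addresses from the original question would appear only inside `elements = { ... }`, and the chain still contains exactly one rule, so adding a ban changes the set contents rather than the length of the chain the kernel traverses for each packet.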
